PKI Blog

Despite the documented shortcomings of the Simple Certificate Enrollment Protocol (SCEP), it is still in widespread use today. This is in large part due to the lack of better options when it comes to certificate enrollment – especially when it comes to more limited devices such as mobile phones, tablets, and constrained Internet-of-Things (IoT) devices such as embedded systems, sensors, automotive components, or medical devices. The simplicity of SCEP makes it an attractive choice for implementers that are bent on meeting tight timelines, but this simplicity can come at a cost.

Fog Computing: When the Cloud is Not Enough

How Do We Manage the Massive Amounts of Data Generated by the IoT?

The Internet of Things (IoT) market and its exponential growth are bringing many improvements and considerable revenue to almost every conceivable vertical. Now that most industries have a handle on what the IoT is, the public is watching it benefit both consumers and businesses alike. The IoT generates detailed insights into consumer behavior, thereby improving product design and functionality, and also, according to Cisco, accelerates response to events, which ultimately enhances safety, improves service levels and increases output.

The Explosion of Cloud-based Apps and the IoT are Creating the Need to Reinforce PKI Environments

The takeover of the cloud has brought countless businesses to pursue cloud migration over the past few years in an effort to take advantage of cost and operational efficiencies. The shift began with storage and simpler applications such as email, and has progressed to more complex applications, many of which require authorization and security to be used.

Healthcare devices through the ages: what was once a cumbersome trip to the doctor for testing, followed by a series of manual documentation steps, is now a convenient, internet-connected wearable device that automates the transmission of patient information. Implanted devices are only one of many different wearable devices out on the market today. The majority of wearable healthcare devices connect to an internet or cloud-based system that allows users to interact with those devices while transmitting information to be used for actionable medical insight.

IoT Security: the area of the information security industry aimed at securing devices, data, people and applications within the Internet of things (IoT).

What makes IoT Security so important? The number of internet-connected data sources, devices, applications and users has grown exponentially. IoT is carrying over into a wide array of products and services: mobile devices, wearables, medical devices; everything under the sun can now be connected to the internet.

CSS recently discovered and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems. After this discovery, CSS created the SCEP Validation Service, which aims to close this attack by validating the certificate contents before the Certificate Authority issues the certificate to the requestor. CSS’ patent-pending solution ships today with our Mobile Certificate Management System (mCMS) v1.1 software. CSS’ SCEP Validation Service is architected as a set of components that can also be integrated into third-party Mobile Device Management (MDM) products.

If you’re reading this, there’s a good chance you’ve already seen the reports about the security ramifications of issuing certificates to mobile devices using the Simple Certificate Enrollment Protocol (more information on our site here). We’ve received many inquiries about how to determine whether a given system is at risk, and if so, what levels of exposure may be involved. Complicating the issue is the sheer number of Mobile Device Management (MDM) products that exist, and the wide variety of configuration options within them. Because of all this variability, simply asking, “Is {Product X} affected?” can lead to over-simplified answers that might still leave you exposed to risk.

Assessing the risk of a given MDM deployment can be a bit nuanced, as there are a number of factors that come into play. The primary criteria to examine when making an assessment are:

CLEVELAND, OH – June 28, 2012. Researchers at Certified Security Solutions, Inc. (CSS), a leading information security company, have uncovered a potentially serious security issue pertaining to the use of the Simple Certificate Enrollment Protocol (SCEP) in conjunction with mobile devices. Organizations that leverage SCEP to issue digital certificates to mobile devices may be subject to a privilege escalation attack.

It’s been in the works for quite some time, but we are finally able to publicly announce a problem that we’ve encountered, related to the use of the Simple Certificate Enrollment Protocol, or SCEP, in conjunction with mobile devices. We’ve been working for months behind the scenes with the folks at the United States Computer Emergency Readiness Team (US-CERT) and CERT/CC at Carnegie Mellon, our customers, and a number of vendors as well, to help raise awareness of the issue. The CERT report can be found here, and we have a whitepaper and video overview on our website to provide more information.

It should be noted that not all MDM usage of SCEP is equally vulnerable. The scenarios that cause the most concern to us are those that involve the use of SCEP to issue authentication certificates to enterprise systems such as ActiveSync, WiFi, and VPN. In some cases it may be possible to use alternative configurations that reduce or eliminate these risks; in others, it may be more difficult. CSS is willing to help customers assess their specific usage of SCEP and PKI to determine their degree of exposure.